Previous slide Next slide Toggle fullscreen Open presenter view
Microsoft Windows is the most used Operating System in companies
Windows Desktop 10
Windows Server 2022
Attackers target Windows most than any other OS in the world
Active Directory (AD)
Directory service: list of users, endpoints...
User management: authentication, authorizations...
DNS
DHCP
...
Usually, distributed in several Windows Servers
Types of users
Local users: they use a single computer
Local administrators: manage a single computer
SYSTEM: the kernel
Domain Users: they can use any computer
Domain Administrators: manage the AD
The objective of the attackers: become a domain admin
Terminology
Asset : something in the environment that must be protectedVulnerability : a weakness within your organization that can be exploitedRisk : the likelihood a threat was successful in breaching your networkThreat : anything that is trying to degrade, disrupt, or steal your asset
Risk-based approach
R i s k = T h r e a t × V u l n e r a b i l i t y Risk = Threat \times Vulnerability
R i s k = T h re a t × V u l n er abi l i t y
Priorize actions based on risk :
Identify high risk threats and defense against them
Accept low risk threats and have a plan if they happened sometime
Risk assesment : the practice of discovering, examining and priorizing cybersec risks that might occur in an organization business
Initial access
Lateral movement
First, the attacker gains control of a local user
Then, escalates to local admin
Then, moves to the AD (domain admin)
Then, moves to any computer in the network
How to protect an endpoint?
Default system tools
Enhanced system tools
Antivirus
Endpoint detection and response (EDR)
Windows: Event Viewer
Windows applications
Logs process creation with full command line for both current and parent processes.
Records the hash of process image files using SHA1 (the default), MD5, SHA256 or IMPHASH.
Includes a process GUID in process create events to allow for correlation of events even when Windows reuses process IDs.
Includes a session GUID in each event to allow correlation of events on same logon session.
Logs loading of drivers or DLLs with their signatures and hashes.
Logs opens for raw read access of disks and volumes.
Logs network connections, including each connection’s source process, IP addresses, port numbers, hostnames and port names.
Detects changes in file creation time to understand when a file was really created. - Rule filtering to include or exclude certain events dynamically.
Osquery
Osquery exposes an OS as a relational database. This allows you to write SQL queries to explore operating system data. With osquery, SQL tables represent abstract concepts such as running processes, loaded kernel modules, open network connections, browser plugins, hardware events or file hashes.
https://www.osquery.io/
Challenge
You must get this data for all your devices
This is a lot of data!
Can we automate the process?
How to protect a Network?
SIEM
Endpoint detection and response (EDR)
Intrusion Detection System (IDS)
SIEM
A Security Information And Event Management (SIEM) solution supports threat detection, compliance and security incident management through the collection and analysis (both near real-time and historical) of security events, as well as a wide variety of other event and contextual data sources.
Architecture
Challenges
We already have a SIEM in our company. Is it not enough?
Are you monitoring 100, 1000, or 10000 hosts?
Do you have budget for commercial tools?
How heterogeneous is your infrastructure?
Are you just looking for security alerts, or do you also need persistent event logging for auditing purposes?
Why do you get that many false positives/negatives? Are you investing time in customizing the alarms?
What response time do you wish to achieve? Do you need real time notifications?
Do you have time to improve/tune your solution or do you need something working 100% ASAP?
OS proposal
Wazuh
Commercial examples
QRadar
Splunk
Panda WatchGuard
Endpoint Protection and Response (EDR)
An EDR is a system that monitors (SIEM) and responds, either automatically or manually.
Features:
Centralized server, gets events from all endpoints
Manages IOCs and BIOCs (behavior indicators). Examples:
executing apps from macros
large uploads to servers
antivirus
Response: block an application, remove a IOC, isolate an endpoint
Security Operations Center
SOC
A centralized team in a single organization that monitors the information technology environment for vulnerabilities, unauthorized activity, acceptable use/policy/procedure violations, intrusions into and out of the network, and provides direct support of the cyber incident response process.
SOC Services
Reactive:
Monitoring and alerts
Incident Response
Forensics / eDiscovery
Proactive:
Threat Hunting
Health Monitoring
Trained personal
Highly skilled people can produce more accurate and timely results with a moderate product than novices with an expensive toolset.
Getting into the hunt
Assume that there is a likely compromise, become detection oriented and proactively mine data looking for patterns of intrusion and misbehaviour.
Define metrics
Number of data sources
MTT close an alarm
Implemented Use Cases
number of not-reviewed alerts after 24 hours
...
What makes good SOCs good
A day as a SOC analyst
Alarm triage
Dashboard review
Review security state
System health
Active threat hunting
Review intelligence data
Dashboard
Indicators of Compromise (IoC)
An artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion.
Yara rules:
Mick Douglas (@bettersafetynet)
I've had 3 calls so far today (it's not even 10) about defending against Russian cyber ops. I'm tired of having the same call... so... here's what I've told everyone. This is the playbook you need... but it's not going to be what you think it will be. Ready? Lets go!
Feb 23, 2022
Watch your egress. Firewalls work both ways. Carefully monitor outbound traffic. DMZ servers RESPOND to external requests. Look for DMZ systems initiating outbound. This is what "phoning home" (aka C2) looks like.
you will have a handful of DMZ servers initiating outbound. File xfer systems, any mail server (you likely shouldn't be running your own). Some web services may also initiate outbound.
Don't get too hung up on IP address blocks. Geo blocking has some advantages, but the only time Russian groups come from Russian IP space is when they want to rub it in. Start treating the entire internet as hostile... because it is.
You 100% must know what is "normal" exes on your systems. App control (used to be call white listing) is no longer a "nice to have" it's IMO table stakes. Anyone who claims otherwise is giving dated & dangerous advice. Use native logging functions to know the apps that are running on systems.
EDR
Windows SRUM. It has a 30 day rolling view of EVERY exe run
auditd or sysmon
Because many orgs over rely on EDR and SIEM now, LOL attacks are highly successful. Attackers blend in. They are using core parts of the OS against you. None of your tools will stop these. You likely already have exclusions for the ports and protocols these tools use.
Don't buy vendor tools to catch the attackers. No matter how good the demo is... it's a demo.
If your IR plan doesn't have a rapid (host and network level) isolation workflows. Make it just after the stuff I've talked about in prior tweets. Drill it. You're going to need to work at a speed you likely haven't before.
Increase your logging, while both filtering out stuff you don't care about at your aggregators, and SHORTENING the retention length for the data you don't need long term.
The playbooks we've been following for too long are now being used against us. You can either accept that, or be beaten before you even show up to fight.
That said, you can win this fight. Once the attackers are in, you only need to detect them once. You can do stuff like make MSFT an untrusted publisher on a Windows box by allowing ONLY what is listed in SRUM analysis.
Your hosts tell you how they're being used and abused. Start listening. Prevent isn't possible. Try anyway. Move to a detect and respond model. That's our path to victory.
But it's rare.
Most orgs? Your exception list will fit on a single sheet of paper.
A windows network might be very complex, with tens of thousand of devices talking to each other. Some services must be centralized in the Active Directory
The Active Directory (AD) is the central console to manage Windows systems inside a network.
The AD centralizes authentication and permissions
Each user has different permissions on a Windows endpoint
- local user / admin can access only this computer
- domain users can access any computer in the network
- domain admins manage the AD, they are not expected to access a computer... most of the time
- SYSTEM: kernel level. Similar to root in Linux, but it does not have an assotiated user
The objective of the attackers: control a domain account
There are automatic tools to run some of these processes:
- vulnerability scanner: nessus, qualys, sentinel... https://owasp.org/www-community/Vulnerability_Scanning_Tools
- threat managements: threatq (IOC management)...
- threat intelligence: blueliv, cybelangel...
The link takes to a SANS poster with lots of information about the artifacts you can check to learn about the activity on a system: opened files, applications... It is a wonderful resource for information, updated often
- Windows events are not designed with security in mind
- They are complex and not very well documented
Important applications, such as svchost (host of system services) has a very well know behaviour
Any deviation is an alarm
Can we monitor this behaviour